Configure Agent Settings for the Prisma Access Agent
Follow the instructions to customize how your end users interact with the Prisma Access Agent.
Where Can I Use This?
  • Prisma Access (Managed by Strata Cloud Manager)
  • Prisma Access (Managed by Panorama)
  • NGFW (Managed by Panorama)
What Do I Need?
  • Check the prerequisites for the deployment you're using
  • Contact your Palo Alto Networks account representative to activate the Prisma Access Agent feature
The Prisma Access Agent provides default agent configurations that apply to all user groups. You can add an agent configuration to customize how your end users interact with the Prisma Access Agent.
You can configure agent settings in Strata Cloud Manager Managed Prisma Access or Panorama Managed Prisma Access or NGFW deployments.

Configure Agent Settings for the Prisma Access Agent (Strata Cloud Manager)

For Strata Cloud Manager Managed Prisma Access deployments, follow the instructions to customize how your end users interact with the Prisma Access Agent.
The Prisma Access Agent provides default agent configurations that apply to all user groups. You can add an agent configuration to customize how your end users interact with the Prisma Access Agent.
You can use the following instructions for Strata Cloud Manager Managed Prisma Access deployments.
  1. Select Workflows > Prisma Access Setup > Access Agent > Prisma Access Agent.
  2. Click Add Agent Settings.
  3. Create an app configuration rule. The configuration rule associates one or more groups of users with app settings that are specific to those users.
    1. In the Detail section, enter a Name for the rule.
    2. Specify the Match Criteria by adding User Entities. Users and groups that match the User Entities criteria will receive the Prisma Access Agent app settings that you specify.
      • Select the endpoint OS that the app settings apply to. Selecting Match Any will apply the app settings to all supported operating systems. The default is Match Any.
      • To deploy the configuration to all users, set User Entities to Match any. This setting is the default.
      • To deploy the configuration to specific user groups or users, set User Entities to Match Any > Add User and select from the list of user entities. Examples of user entities include usernames and user groups, which are available in cloud directory attributes such as Common Name (CN) and Domain Component (DC).
        Click the + sign to add another user or group. To remove a user or group, click the name of the user or group and select Remove.
        If you did not configure a security policy for a user group, you can't use the group in the Add Agent Settings page. If you select this user group, the agent configuration settings won't be pushed to the endpoints in this group.
  4. Configure the app settings for the Prisma Access Agent.
    • Connect—Specify how the Prisma Access Agent connects to Prisma Access. This setting is required.
      • Select Every time the user logs on to the machine (Always on) to automatically establish a connection to Prisma Access every time the user logs on to an endpoint.
        For Panorama Managed Prisma Access, select Always On.
      • Select Only when the user clicks Connect (On demand) to connect to Prisma Access only when the user clicks Connect (the lock icon) in the Prisma Access Agent.
        For Panorama Managed Prisma Access, select On Demand.
      • Select Even before the user logs on to the machine (Pre-logon) to establish a pre-logon tunnel to Prisma Access before a user logs in to their device. The pre-logon tunnel provides essential network access for managing and updating remote devices without requiring end-user authentication.
    • Disable Agent—Specify whether to give your users the ability to disable the Prisma Access Agent on their devices. In cases where users have the GlobalProtect app installed on their device along with the Prisma Access Agent, they can disable the Prisma Access Agent so that they can switch to the GlobalProtect app and avoid interference between the two applications. Select one of the following options:
      • Disallow—Does not allow users to disable the agent. The Disable option is not available in the Prisma Access Agent app.
      • Allow—Users can disable the Prisma Access Agent using the Disable option in the settings page in the Prisma Access Agent app.
      • Allow with One Time Password—Users can disable the Prisma Access Agent using a one-time password (OTP). With this option enabled, you can obtain a one-time password (OTP) from the Inventory page (Manage > Prisma Access Agent) and share it with the user. Prisma Access Agent will prompt the user to enter the OTP when they try to disable the agent.
      After disabling the agent, the user can switch to the GlobalProtect app. The following table shows the Prisma Access Agent behavior after disabling the agent and after switching to GlobalProtect.
      Prisma Access Agent Behavior | After Disabling Prisma Access Agent | After Switching to GlobalProtect
      Connectivity to the tunnel | No | No
      Connectivity to the server (Prisma Access Agent management plane) | Yes | Yes
      Prisma Access Agent notifications | No | No
      Prisma Access Agent enforcer | No | No, but GlobalProtect enforcer is enabled
      ADEM Access Experience status | Yes (independent of agent status) | Yes (independent of agent status)
      Troubleshooting by remote shell | Yes | Yes
      Anti-tamper feature | Yes | Yes
      PACli commands functional | Yes, but don't use pacli connect | Yes, but don't use pacli connect
    • Support Page—Enter the website that users can access for assistance when they click Support Resources in the Prisma Access Agent.
    • Access Experience (ADEM, App Acceleration, End user coaching) (Windows and Mac only)—Specify whether to install the ADEM Access Experience agent during the Prisma Access Agent app installation and allow end users to enable or disable user experience tests from the app.
      • Install
      • No action (The agent state remains as is)
      • Uninstall
      For details about getting started with ADEM on Cloud Managed Prisma Access, see Get Started with Autonomous DEM.
    • Display ADEM update notifications—Enable this setting to display notifications from ADEM when an update is available on the endpoint.
    • Session timeout—Prisma Access Agent user sessions are created when a user connects to the gateway (location) and successfully authenticates. The session is then assigned to a specific gateway that determines which traffic to tunnel based on any defined split tunnel rules.
      Specify the amount of time that elapses before the session ends. During the session, the user stays logged in as long as the gateway receives a HIP check from the endpoint within the Inactivity Logout period. After this time, the session ends automatically. The default is 10 days. This setting is required.
    • Notify Before Session Expires—Specify when to notify the user before a session expires. You can enter a value between 0-120 minutes. The default is 0 minutes. The value must be less than the value for Session timeout.
      For example, if you set the value to 120 minutes, the Prisma Access Agent will display the notification to the user two hours before their session expires. If you don't want any notification to be displayed, set the value to 0.
      For the notification to appear on the endpoint, PAN-OS must be at version 11.2 or later.
    • Session Timeout Expiration Message—Enter a message to display to the users when their sessions are about to expire. The maximum length for the message is 127 alphanumeric characters. The user will receive the notification as part of the system notification framework on the endpoint.
    • Append Local Search Domains to Tunnel DNS Suffixes (Mac only)—Enable this setting to append tunnel DNS search domains to local DNS search domains on macOS endpoints. Appending tunnel search domains to an endpoint's local DNS search domains enables users to quickly access local and remote corporate websites and servers that they visit frequently without entering the complete address.
    • Detect Proxy for Each Connection (Windows only)—Enable this setting to automatically detect the proxy at every connection. Disable this setting if you want to automatically detect the proxy for the gateway connection and use that proxy for subsequent connections to Prisma Access.
    • Set Up Tunnel Over Proxy (Windows and Mac only)—Enable this setting to configure network traffic behavior based on Prisma Access Agent proxy use. Select Enable to require the Prisma Access Agent to use proxies. Disable this setting if you want to require the Prisma Access Agent to bypass proxies. Based on the Prisma Access Agent proxy use, endpoint OS, and tunnel type, network traffic will behave differently.
      If you disable this option, Prisma Access Agent will bypass the proxies. All HTTP or HTTPS traffic that matches the proxy or PAC file rules is required to traverse the Prisma Access Agent tunnel before reaching the intended destination. By bypassing proxies, you can prevent users from setting up a personal proxy to access web resources without going through the tunnel for inspection and policy enforcement.
    • Optimized MTU—The maximum transmission unit (MTU) is the largest packet size that Prisma Access Agent can send in a packet during a transmission. When enabled, Prisma Access Agent will automatically determine the best MTU to use for packet transmissions.
      Default: Enabled. You can disable this option to manually configure the MTU. The Configurable MTU (bytes) range is 576-1500 bytes. If you leave it unconfigured, the system will default to 1400 bytes. If you set a value outside this range, the text box will turn red and the Save button becomes disabled.
    • Inbound Authentication Prompts from MFA Gateways—To support multi-factor authentication (MFA), a Prisma Access Agent endpoint must receive and acknowledge UDP prompts that are inbound from the gateway. Enable this setting to allow a Prisma Access Agent endpoint to receive and acknowledge the UDP prompts. This setting is enabled by default. Disable this setting to block UDP prompts from the gateway.
    • Network Port for Inbound Authentication Prompts (UDP)—Specifies the port number a Prisma Access Agent endpoint uses to receive inbound authentication prompts from MFA gateways. The default port is 4501. To change the port, specify a number 1-65535.
    • MFA Trusted Host list—Add the hosts for firewalls or authentication gateways that a Prisma Access Agent endpoint can trust for multi-factor authentication. When an endpoint receives a UDP message on the specified network port, the Prisma Access Agent displays an authentication message only if the UDP prompt comes from a trusted gateway.
    • Inbound Authentication Messages—Customize a notification message to display when users try to access a resource that requires additional authentication.
      When users try to access a resource that requires additional authentication, Prisma Access Agent receives a UDP packet containing the inbound authentication prompt and displays this message. The UDP packet also contains the URL for the Authentication Portal page you specified when you configured multi-factor authentication. Prisma Access Agent automatically appends the URL to the message.
      For example:
      You have attempted to access a protected resource that requires additional authentication. Do you want to continue?
      The message can have 255 or fewer characters.
    • Suppress Multiple Inbound MFA Prompts (sec)—Specify the number of seconds to wait before Prisma Access Agent can suppress multiple inbound UDP prompts. The default is 180 seconds.
    • Allow user to sign out—Enable this setting to permit your users to sign out of the Prisma Access Agent. This setting is disabled by default.
    • Show Advanced Options—Open the menu containing advanced agent settings. For example:
      • Authentication
      • Anti-Tamper
        • Privileged Access Protection—Select this option to enable anti-tamper protection on the endpoints that meet the Match Criteria. Enabling this option reveals the anti-tamper configuration options. (Default: Disabled)
        • Tamper Protection Auto Enable Duration (min)—Specify a time window (30-480 minutes) during which privileged commands can be executed after validation. (Default: 30 minutes)
        • Privileged Access Token—Enter and confirm an emergency access password for use in critical access scenarios. The token must have 8-16 alphanumeric characters with at least one uppercase letter, lowercase letter, number, and optionally one special character from the following set: @$!%*?&
          The Privileged Access Token is required when you enable Privileged Access Protection.
        These settings are only visible to administrators with superuser privileges through RBAC controls.
      • VPN
        • Pre-logon tunnel rename timeout (min)—Specify how long, after a user logs in, the pre-logon tunnel will remain active before transitioning to a user-specific tunnel (when the pre-logon tunnel gets renamed to the user-specific tunnel).
          Default: 5 minutes. Range: 0-180 minutes.
  5. (Optional) If you don’t require your Prisma Access Agent users to connect to Prisma Access when they are on the internal network, enable Internal Host Detection. This will enable the Prisma Access Agent to determine if it's on an internal or external network.
  6. (Optional) Select a Forwarding Profile that you configured to manage how traffic flows between the agent and Prisma Access. For example, you can set up split tunnels to exclude traffic from certain applications or destinations from the tunnel while routing all other traffic through the tunnel.
  7. When you have finished setting up the Prisma Access Agent settings, click Save.
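The value constraints listed under step 4 above (and the matching fields in the Panorama procedure) are easy to get wrong when agent settings are prepared outside the UI. The following is an added example, not part of this page or of the Prisma Access Agent product: a small Python lint over a dictionary of settings (the key names are assumed, not a real export format) that encodes the page's ranges, length limits, the Notify-before-expiry versus Session-timeout dependency, and the Privileged Access Token policy.

```python
import re

# Constraints taken from the agent settings described on this page.
MTU_RANGE = (576, 1500)
MTU_DEFAULT = 1400
NOTIFY_RANGE_MIN = (0, 120)
TAMPER_DURATION_RANGE_MIN = (30, 480)
PRELOGON_RENAME_RANGE_MIN = (0, 180)
TOKEN_SPECIALS = "@$!%*?&"
# 8-16 characters, at least one uppercase, one lowercase and one digit;
# any special characters must come from the allowed set.
TOKEN_RE = re.compile(r"^(?=.*[A-Z])(?=.*[a-z])(?=.*\d)[A-Za-z\d@$!%*?&]{8,16}$")


def _in_range(value, lo_hi):
    lo, hi = lo_hi
    return lo <= value <= hi


def check_privileged_access_token(token: str) -> list:
    """Return the policy violations for an emergency access token (empty if it passes)."""
    problems = []
    if not TOKEN_RE.fullmatch(token):
        problems.append("Privileged Access Token must be 8-16 characters from A-Z, a-z, 0-9 "
                        "and @$!%*?&, with an uppercase letter, a lowercase letter and a digit")
    # The page says "optionally one special character"; read here as at most one (assumption).
    if sum(c in TOKEN_SPECIALS for c in token) > 1:
        problems.append("Privileged Access Token may contain at most one special character")
    return problems


def validate_agent_settings(cfg: dict) -> list:
    """Lint agent settings (hypothetical key names) against the constraints on this page."""
    problems = []
    timeout_min = cfg.get("session_timeout_min", 10 * 24 * 60)   # page default: 10 days
    notify = cfg.get("notify_before_expire_min", 0)              # page default: 0 minutes
    if not _in_range(notify, NOTIFY_RANGE_MIN):
        problems.append("Notify Before Session Expires must be 0-120 minutes")
    elif notify >= timeout_min:
        problems.append("Notify Before Session Expires must be less than Session timeout")
    if len(cfg.get("expiration_message", "")) > 127:
        problems.append("Session Timeout Expiration Message exceeds 127 characters")
    if not cfg.get("optimized_mtu", True):
        mtu = cfg.get("configurable_mtu", MTU_DEFAULT)
        if not _in_range(mtu, MTU_RANGE):
            problems.append(f"Configurable MTU {mtu} is outside {MTU_RANGE[0]}-{MTU_RANGE[1]} bytes")
    if not _in_range(cfg.get("mfa_udp_port", 4501), (1, 65535)):
        problems.append("Network Port for Inbound Authentication Prompts must be 1-65535")
    if len(cfg.get("inbound_auth_message", "")) > 255:
        problems.append("Inbound Authentication Message exceeds 255 characters")
    if cfg.get("privileged_access_protection", False):
        token = cfg.get("privileged_access_token")
        if not token:
            problems.append("Privileged Access Token is required when "
                            "Privileged Access Protection is enabled")
        else:
            problems.extend(check_privileged_access_token(token))
        if not _in_range(cfg.get("tamper_auto_enable_min", 30), TAMPER_DURATION_RANGE_MIN):
            problems.append("Tamper Protection Auto Enable Duration must be 30-480 minutes")
    if not _in_range(cfg.get("prelogon_rename_timeout_min", 5), PRELOGON_RENAME_RANGE_MIN):
        problems.append("Pre-logon tunnel rename timeout must be 0-180 minutes")
    return problems


if __name__ == "__main__":
    # Constructed sample: a 30-minute session with a 60-minute warning and a weak token.
    sample = {"session_timeout_min": 30, "notify_before_expire_min": 60,
              "privileged_access_protection": True, "privileged_access_token": "password"}
    for p in validate_agent_settings(sample):
        print("-", p)
```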

Configure Agent Settings for the Prisma Access Agent (Panorama)

For Panorama Managed Prisma Access and NGFW deployments, follow the instructions to customize how your end users interact with the Prisma Access Agent.
The Prisma Access Agent provides default agent configurations that apply to all user groups. You can add an agent configuration to customize how your end users interact with the Prisma Access Agent.
Stale Configuration Notification
(Prisma Access Agent 25.4) Your Prisma Access Agent configurations can become outdated when dependent objects, such as gateway settings or certificates, are updated on Panorama but not in the Prisma Access Agent Manager (EPM) configuration interface. When this happens, real-time alerts will appear in the configuration interface, informing you of outdated configurations that could create service outages if not handled immediately. The notifications will appear in a prominent banner across the Prisma Access Agent Setup page, alerting you of stale configurations such as:
  • Gateways that have been deleted on Panorama but actively used in the configuration interface
  • Expired or deleted authentication override certificate on Panorama that is still being used in the configuration interface
  • Outdated certificate profile in the HIP section of Agent Settings
The banner can’t be dismissed until you resolve the issue and push the configuration.
Use the following instructions for Panorama Managed Prisma Access or NGFW deployments.
  1. Navigate to the Prisma Access Agent setup.
    • For Panorama Managed Prisma Access deployments:
      1. From the Cloud Services plugin in Panorama, select Panorama > Cloud Services > Prisma Access Agent > Launch Prisma Access Agent.
      2. Select Workflows > Prisma Access Agent > Setup.
    • For Panorama Managed NGFW deployments:
      1. Log in to Strata Cloud Manager as the administrator.
      2. Select Workflows > Prisma Access Agent > Setup.
  2. Select Prisma Access Agent > Add Agent Settings.
  3. Create an app configuration rule. The configuration rule associates users or user groups with app settings that are specific to those users or groups.
    1. Enter a Name for the rule.
    2. Specify the Match Criteria by adding User Entities. Users and groups that match the User Entities criteria will receive the Prisma Access Agent app settings that you specify.
      • To deploy the configuration to all users, select Match Any.
      • To deploy the configuration to specific user groups or users, select Match Users. Then, click Select Users to select from the list of user entities. Examples of user entities include usernames and user groups, which are available in cloud directory attributes such as Common Name (CN) and Domain Component (DC).
  4. Configure the app settings for the Prisma Access Agent.
    You can configure the following app settings:
    • Connect—Specify how the Prisma Access Agent connects to Prisma Access. This setting is required.
      • Select Every time the user logs on to the machine (Always On) to automatically establish a connection to Prisma Access every time the user logs on to an endpoint.
      • Select Only when the user clicks Connect (On-Demand) to connect to Prisma Access only when the user clicks Connect (the lock icon) in the Prisma Access Agent app.
    • Disable Agent—Specify whether to give your users the ability to disable the Prisma Access Agent on their devices. In cases where users have the GlobalProtect™ app installed on their device along with the Prisma Access Agent, they can disable the Prisma Access Agent so that they can switch to the GlobalProtect app and avoid interference between the two applications. Select one of the following options:
      • Disallow—Does not allow users to disable the agent. The Disable option is not available in the Prisma Access Agent app.
      • Allow—Users can disable the Prisma Access Agent using the Disable option in the settings page in the Prisma Access Agent app.
      After disabling the agent, the user can switch to the GlobalProtect app. The following table shows the Prisma Access Agent behavior after disabling the agent and after switching to GlobalProtect.
      Prisma Access Agent Behavior | After Disabling Prisma Access Agent | After Switching to GlobalProtect
      Connectivity to the tunnel | No | No
      Connectivity to the server (Prisma Access Agent management plane) | Yes | Yes
      Prisma Access Agent notifications | No | No
      Prisma Access Agent enforcer | No | No, but GlobalProtect enforcer is enabled
      ADEM Access Experience status | Yes (independent of agent status) | Yes (independent of agent status)
      Troubleshooting by remote shell | Yes | Yes
      Anti-tamper feature | Yes | Yes
      PACli commands functional | Yes, but don't use pacli connect | Yes, but don't use pacli connect
    • Allow user to sign out—Enable this setting to permit your users to sign out of the Prisma Access Agent. Default: Disabled.
    • Support Page—Enter the website that users can access for assistance when they click Support Resources in the Prisma Access Agent.
    • Append Local Search Domains to Tunnel DNS Suffixes (Mac only)—Enable this setting to append tunnel DNS search domains to local DNS search domains on macOS endpoints. Appending tunnel search domains to an endpoint's local DNS search domains enables users to quickly access local and remote corporate websites and servers that they visit frequently without entering the complete address.
    • Optimized MTU—The maximum transmission unit (MTU) is the largest packet size that Prisma Access Agent can send in a packet during a transmission. When enabled, Prisma Access Agent will automatically determine the best MTU to use for packet transmissions.
      Default: Enabled. You can disable this option to manually configure the MTU. The Configurable MTU (bytes) range is 576-1500 bytes. If you set a value outside this range or don't specify a value, the system will default to 1400 bytes.
    • Session timeout—Prisma Access Agent user sessions are created when a user connects to the gateway (location) and successfully authenticates. The session is then assigned to a specific gateway that determines which traffic to tunnel based on any defined split tunnel rules.
      Specify the amount of time that elapses before the session ends. During the session, the user stays logged in as long as the gateway receives a HIP check from the endpoint. After this time, the session ends automatically. The default is 10 days. This setting is required.
    • Notify Before Session Expires—Specify when to notify the user before a session expires. You can enter a value between 0-120 minutes. The default is 0 minutes. The value must be less than the value for Session timeout.
      For example, if you set the value to 120 minutes, the Prisma Access Agent will display the notification to the user two hours before their session expires. If you don't want any notification to be displayed, set the value to 0.
      For the notification to appear on the endpoint, PAN-OS must be at version 11.2 or later.
    • Session Timeout Expiration Message—Enter a message to display to the users when their sessions are about to expire. The maximum length for the message is 127 alphanumeric characters. The user will receive the notification as part of the system notification framework on the endpoint.
  5. (Optional) Configure the Proxy settings.
    • Local Proxy Port (Optional)—Configure the local proxy port used for transparent proxy support. The Prisma Access Agent uses a local proxy to route outgoing connections to Prisma Access explicit proxy servers based on customizable forwarding profiles.
      Default: 9999. Range: 1024-65534.
      If the default port isn't available, Prisma Access Agent will try 50 other ports in the range of 9999-10009 and use the port that’s available. If none is available, Prisma Access Agent will use a random port assigned by the operating system. You can also enter your own port number within the range.
    • Detect Proxy for each Connection (Windows only)—Enable this setting to automatically detect the proxy at every connection. Disable this setting if you want to automatically detect the proxy for the gateway connection and use that proxy for subsequent connections to the gateway. Default: Disabled.
  6. Configure MFA settings.
    • Inbound Authentication Prompts from MFA Gateways—To support multi-factor authentication (MFA), a Prisma Access Agent endpoint must receive and acknowledge UDP prompts that are inbound from the gateway. Enable this setting to allow a Prisma Access Agent endpoint to receive and acknowledge the UDP prompts. This setting is enabled by default. Disable this setting to block UDP prompts from the gateway.
    • Network Port for Inbound Authentication Prompts (UDP)—Specifies the port number a Prisma Access Agent endpoint uses to receive inbound authentication prompts from MFA gateways. The default port is 4501. To change the port, specify a number 1-65535.
    • MFA Trusted Host list—Add the hosts for firewalls or authentication gateways that a Prisma Access Agent endpoint can trust for multi-factor authentication. When an endpoint receives a UDP message on the specified network port, the Prisma Access Agent displays an authentication message only if the UDP prompt comes from a trusted gateway.
    • Inbound Authentication Messages—Customize a notification message to display when users try to access a resource that requires additional authentication.
      When users try to access a resource that requires additional authentication, Prisma Access Agent receives a UDP packet containing the inbound authentication prompt and displays this message. The UDP packet also contains the URL for the Authentication Portal page you specified when you configured multi-factor authentication. Prisma Access Agent automatically appends the URL to the message.
      For example:
      You have attempted to access a protected resource that requires additional authentication. Do you want to continue?
      The message can have 255 or fewer characters.
    • Suppress Multiple Inbound MFA Prompts (sec)—Specify the number of seconds to wait before Prisma Access Agent can suppress multiple inbound UDP prompts. The default is 180 seconds.
  7. Configure ADEM settings.
    • Access Experience (Optional)—Specify whether to install the ADEM Access Experience agent during the Prisma Access Agent app installation and to let end users enable or disable user experience tests from the app.
      • Install
      • No action (The agent state remains as is)
      • Uninstall
    • Display ADEM update notifications—Enable this setting to display notifications from ADEM when an update is available on the endpoint.
  8. Enable Internal Host Detection if you don’t require your Prisma Access Agent users to connect to the gateway when they are on the internal network. This option will enable the Prisma Access Agent to determine if it's on an internal or external network.
    Default: Disabled
    After you enable this option, complete the following steps:
    1. Enter the IP Address (IPv4) of a host that Prisma Access Agent can resolve from the internal network only.
    2. Enter the DNS HostName that resolves to the IP address that you entered.
  9. Configure external and internal gateways for the Prisma Access Agent by selecting the external and internal gateways that you configured in the Infrastructure tab.
  10. (Optional) Select a Forwarding Profile that you configured previously to manage how traffic flows between the agent and Prisma Access. For example, you can set up split tunnels to exclude traffic from certain applications or destinations from the tunnel while routing all other traffic through the tunnel.
  11. When you have finished setting up the Prisma Access Agent settings, click Create.
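The MFA settings in step 6 above (and the same settings in step 4 of the Strata Cloud Manager procedure) describe how the endpoint decides whether to show an inbound authentication prompt: the datagram must arrive on the configured UDP port, come from a host in the MFA Trusted Host list, not repeat a prompt already shown inside the suppression window, and the Authentication Portal URL is appended to the configured message. The following is an added example, not the agent's own code: a Python model of that decision path over constructed datagrams, with no real sockets. The suppression key (the portal URL) and the `Datagram` fields are assumptions for illustration.

```python
from dataclasses import dataclass, field

# Defaults taken from the agent settings described on this page.
DEFAULT_MFA_PORT = 4501
DEFAULT_SUPPRESS_SEC = 180
MAX_PROMPT_LEN = 255


@dataclass
class Datagram:
    """Constructed stand-in for the inbound UDP prompt a gateway sends to the endpoint."""
    src_ip: str
    dst_port: int
    portal_url: str


@dataclass
class InboundMfaPolicy:
    """Illustrative endpoint-side decision logic for inbound MFA prompts."""
    trusted_hosts: frozenset          # MFA Trusted Host list
    message: str                      # Inbound Authentication Message (255 chars or fewer)
    enabled: bool = True              # Inbound Authentication Prompts from MFA Gateways
    port: int = DEFAULT_MFA_PORT      # Network Port for Inbound Authentication Prompts (UDP)
    suppress_sec: int = DEFAULT_SUPPRESS_SEC   # Suppress Multiple Inbound MFA Prompts (sec)
    # portal URL -> time the prompt was last displayed (assumed suppression key)
    _last_shown: dict = field(default_factory=dict)

    def __post_init__(self):
        if len(self.message) > MAX_PROMPT_LEN:
            raise ValueError("Inbound Authentication Message must be 255 characters or fewer")

    def handle(self, dg: Datagram, now: float):
        """Return ("show", text), ("drop", reason) or ("suppress", reason)."""
        if not self.enabled:
            return ("drop", "inbound authentication prompts are disabled")
        if dg.dst_port != self.port:
            return ("drop", f"port {dg.dst_port} is not the configured MFA port {self.port}")
        if dg.src_ip not in self.trusted_hosts:
            return ("drop", f"{dg.src_ip} is not in the MFA Trusted Host list")
        last = self._last_shown.get(dg.portal_url)
        if last is not None and now - last < self.suppress_sec:
            return ("suppress", f"repeat prompt within the {self.suppress_sec}s window")
        self._last_shown[dg.portal_url] = now
        # The agent appends the Authentication Portal URL carried in the datagram.
        return ("show", f"{self.message} {dg.portal_url}")


if __name__ == "__main__":
    # Constructed sample: one trusted gateway, one untrusted sender, one repeated prompt.
    policy = InboundMfaPolicy(
        trusted_hosts=frozenset({"198.51.100.10"}),
        message="You have attempted to access a protected resource that requires "
                "additional authentication. Do you want to continue?")
    url = "https://portal.example.com/auth"
    for dg, t in [(Datagram("198.51.100.10", 4501, url), 1000.0),
                  (Datagram("203.0.113.7", 4501, url), 1001.0),
                  (Datagram("198.51.100.10", 4501, url), 1100.0),
                  (Datagram("198.51.100.10", 4501, url), 1181.0)]:
        print(t, policy.handle(dg, t))
```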